# Critical Vulnerabilities in SonicWall SMA1000 Series Under Active Attack

*Published July 17, 2026*
*Source: [https://cybersecuritynews.com/sonicwall-sma1000-0-day-vulnerability-2/](https://cybersecuritynews.com/sonicwall-sma1000-0-day-vulnerability-2/)*

## Executive Summary

SonicWall's SMA1000 Series remote access appliances are facing active exploitation due to two critical vulnerabilities, with one allowing unauthenticated remote code execution. Organizations must urgently patch affected systems to prevent unauthorized access and potential network breaches.

## Article

SonicWall has disclosed two significant vulnerabilities in its SMA1000 Series remote access appliances, which are being actively exploited by threat actors. The first vulnerability, identified as CVE-2026-15409, is a server-side request forgery flaw with a critical CVSS score of 10.0. The second is a high-severity local privilege escalation issue, CVE-2026-15410. Both vulnerabilities are now part of CISA's Known Exploited Vulnerabilities catalog, highlighting their exploitation in real-world scenarios.

The exploitation process begins with the /wsproxy feature in the SonicWall WorkPlace application, which is designed to tunnel TCP traffic. However, attackers are redirecting this traffic to localhost, gaining unauthorized access to internal services. They then target an Erlang process on port 1050 that uses a hardcoded authentication cookie, allowing remote code execution without credentials. Once inside, attackers use CVE-2026-15410 to escalate privileges to root by manipulating the remove_hotfix workflow, executing malicious scripts and often causing a device reboot.

The affected models include the SMA1000 Series 6210, 7210, and 8200v, running specific firmware versions. Importantly, SonicWall firewalls' SSL VPN and the SMA 100 Series are not impacted. Researchers from Rapid7 have noted that compromised appliances are being used as entry points into corporate networks, with attackers harvesting credentials and accessing Active Directory environments. Indicators of compromise include unusual login patterns from non-corporate devices.

A public proof-of-concept for CVE-2026-15409 is already available, and a Metasploit module is reportedly in the works, which may lead to increased exploitation attempts. Organizations using SMA1000 appliances are urged to prioritize applying patches immediately to mitigate these risks.
